identity-based encryption: a 30-minute tour · identity-based encryption proposed by shamir in...

Identity-Based Encryption: A 30-Minute Tour

Palash Sarkar

Applied Statistics UnitIndian Statistical Institute, Kolkata

[email protected]

Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 1 / 22

Structure of the Presentation

A brief overview of IBE.

Some constructions.

Some issues.


Identity-Based Encryption

idA

idA

ciphertext

dA

PKG

BobAlice

PP

Bob sends a message to Alice.



Proposed by Shamir in 1984.



Proposed by Shamir in 1984.Solutions:

Cocks: 2001.Sakai, Ohgishi and Kasahara: 2000.

Described an identity-based key agreement scheme.

Boneh and Franklin: 2001.

Cocks’ solution was based on quadratic residues.

SOK and BF were based on bilinear maps.

BF provided an appropriate security model.

The BF work spurred a great deal of later research.


Identity-Based Encryption: Security Model

M M

chooseγ

γ

M or C

did

M or C

did

Adversary Simulator

C *

0 ,

Challenge

Queries−II

Set−Up

Queries−I

1 , id*

generate PP, mskPP

id

Guess

id



“Full” model: supports adaptive-identity and adaptive-ciphertextqueries in an interleaved fashion.



“Full” model: supports adaptive-identity and adaptive-ciphertextqueries in an interleaved fashion.

Restricted Models:

CPA-secure: Ciphertext queries not allowed.

Selective-identity: The challenge identity id∗ is to be provided bythe adversary even before receiving the PP.


Construction Approaches

Based on quadratic residues.

Based on lattices.

Based on bilinear pairings of elliptic curve groups.


Cocks’ IBE

Setting: N = pq;J(N): set of elements with Jacobi symbol 1 modulo N;QR(N): set of quadratic residues modulo N.


Cocks’ IBE


Public Parameters.N; u $← J(N) \QR(N);(u is a random pseudo-square;)hash function H() which maps identities into J(N).Master Secret Key: p and q.


Cocks’ IBE


Public Parameters.N; u $← J(N) \QR(N);(u is a random pseudo-square;)hash function H() which maps identities into J(N).Master Secret Key: p and q.

Key Gen: identity id.R = H(id); r =

√R or

√uR according as R is square or not;

did = r .


Cocks’ IBE (contd.)

Encryption: bit m, identity id.

R = H(id); t0, t1$← ZN ;

compute da = (t2a + uaR)/ta and ca = (−1)m · ( ta

N );

ciphertext: ((d0, c0), (d1, c1)).

Decryption: ciphertext ((d0, c0), (d1, c1)), identity id; did = r :

R = H(id); set a ∈ {0, 1} such that r2 = uaR;

set g = da + 2r ; (note g =((ta+r)2

ta

)

and so, ( gN ) =

( taN

);)

compute (−1)m to be ca · ( gN ).


Cocks’ IBE: Discussion

Ciphertext expansion is large; efficiency not good.

Boneh, Gentry and Hamburg (2007) obtained improved spaceefficiency by reusing randomness; but, encryption and decryptionefficiencies are worse.

Jhanwar and Barua (2008) consider the problem of improvingefficiency.


Cocks’ IBE: Discussion

Ciphertext expansion is large; efficiency not good.

Boneh, Gentry and Hamburg (2007) obtained improved spaceefficiency by reusing randomness; but, encryption and decryptionefficiencies are worse.

Jhanwar and Barua (2008) consider the problem of improvingefficiency.

This approach currently does not lead to practical schemes.


Lattice-Based Approach

Gentry, Peikert and Vaikuntanathan (2008).Based on a technique called efficient Pre-Image Sampling.

This technique naturally leads to a signature scheme.By considering the decryption key corresponding to an identity tobe the PKG’s signature on the identity (cf. Naor) suggests an IBEscheme.

Security is based on the hardness of the Learning With Errors(LWE) problem.

Later work have improved efficiency and provided constructions ofhierarchical IBE (HIBE) schemes.


Lattice-Based Approach: Pros and Cons

Motivation:

Multi-precision arithmetic not required;

Security based on the hardness of worst-case instance;

No known quantum algorithm for solving lattice problems.



Motivation:




These apply to all lattice problems and are not specific tolattice-based IBE.



Motivation:




These apply to all lattice problems and are not specific tolattice-based IBE.

Cons:

The sizes of keys and ciphertexts are far too large compared topairing-based schemes.


Pairing

e : G1 ×G2 → GT .

G1 and G2 are sub-groups of points on an elliptic curve; GT is asub-group of the multiplicative group of a finite field.Types of pairings:

Type-1: G1 = G2 (symmetric pairing).Type-2: An efficiently computable isomorphism from G2 to G1 isknown.Type-3: There is no known efficiently computable isomorphismfrom G2 to G1 (or vice versa).

Type-3 pairings are the fastest to compute and provide the mostcompact parameter sizes.


Boneh-Franklin IBE

Setup: G1 = 〈P〉, s $← Zp, Q = sP;PP = (P,Q,H1(),H2()), msk = s.

Key-Gen: Given id, compute Qid = H1(id); did = sQid.

Encrypt: Choose r $← Zp; C = (rP,M ⊕ H2(e(Q,Qid)r

︸︷︷︸))

Decrypt: Given C = (U,V )〉 and did computeV ⊕ H2(e(U, did)

︸︷︷︸) = M.


Boneh-Franklin IBE




︸︷︷︸))


︸︷︷︸) = M.

Correctness:

e(U, dID) = e(rP, sQID) = e(sP,QID)r = e(Q,QID)

r .


Boneh-Franklin IBE




︸︷︷︸))


︸︷︷︸) = M.

Correctness:

e(U, dID) = e(rP, sQID) = e(sP,QID)r = e(Q,QID)

r .

The scheme is CPA-secure; can be converted to CCA-secure usingstandard techniques such as the Fujisaki-Okamoto conversion.


BF-IBE: Discussion

Pros:

Simple, elegant, efficient, compact, ...

Leads naturally to signature scheme, HIBE and other primitives.

Best known practical attack: Solve DL in G1 or G2.


BF-IBE: Discussion

Pros:

Simple, elegant, efficient, compact, ...

Leads naturally to signature scheme, HIBE and other primitives.

Best known practical attack: Solve DL in G1 or G2.

Cons:

Security argument is based on random oracles.

Security reduction to the Decisional Bilinear Diffie-Hellman(DBDH) problem is not tight.


Some Important Pairing-Based IBE Schemes

Boneh-Boyen (2004): BB-IBE1 (also BB-IBE2).

Selective-id secure.

Introduced the so-called “commutative blinding” framework andalgebraic techniques to handle key-extraction queries.

Described using Type-1 pairings; can be easily modified to Type-3pairings.

Extends easily to HIBE.

Later used by Boyen-Mei-Waters to convert CPA-securepairing-based schemes to CCA-secure schemes.



Waters (2005):

Adaptive-id secure without random oracles.

Builds on BB-IBE1 and another work by Boneh and Boyen.Public parameter size rather large (≈ 160 EC points for 80-bitsecurity).

Independent follow up work by Naccache (2005) andChatterjee-Sarkar (2005) showed how to reduce the PP size;trade-off is a looser security reduction.

Original description in the Type-1 setting.Converted to Type-2 setting by Bellare and Ristenpart (2009).Converted to Type-3 setting by Chatterjee and Sarkar (2010).

Security analysis introduced a technique called artificial abort.Later analysis by Bellare-Ristenpart showed how to avoid artificialabort, but, at the cost of loosing tightness.



Gentry (2006):

Adaptive-id secure, no random oracles, tight reduction, efficient.

But, based on the hardness of a non-static assumption, i.e., thenumber of elements in the instance depends on the number ofqueries made by the adversary.



Waters (2009):Introduces a new technique called dual-system encryption.Adaptive-id secure, no random oracles, standard (static)assumption.Constant size public parameters.

For Waters (2005) and its variants the size of the PP asymptoticallygrows with the security parameter.

Extends to HIBE and BE schemes.Uses the Type-1 setting.

Simplification and conversion to Type-3 setting byRamanna-Chatterjee-Sarkar (2011).



Waters (2009):Introduces a new technique called dual-system encryption.Adaptive-id secure, no random oracles, standard (static)assumption.Constant size public parameters.

For Waters (2005) and its variants the size of the PP asymptoticallygrows with the security parameter.

Extends to HIBE and BE schemes.Uses the Type-1 setting.

Simplification and conversion to Type-3 setting byRamanna-Chatterjee-Sarkar (2011).

Lewko-Waters (2010):

Dual-system based IBE; extends to constant-size ciphertext HIBE.Using pairing over composite order groups and also Type-3setting.

An improved variant in the Type-3 setting (coming).


An Open Problem

Obtain an IBE scheme with the following properties.

Adaptive-id secure.

No random oracles.

Standard hardness assumptions.

(Efficient – constant size parameters; constant number of scalarmultiplications, pairings; ...)

Tight security reduction.


An Open Problem

Obtain an IBE scheme with the following properties.

Adaptive-id secure.

No random oracles.

Standard hardness assumptions.

(Efficient – constant size parameters; constant number of scalarmultiplications, pairings; ...)

Tight security reduction.

Or show that this cannot be done.


Secure and Efficient IBE: A Practical Issue

Which IBE scheme should I use?




QR, lattice-based or pairing-based?





For pairing-based schemes, the best known attack on allproposed schemes is to solve DL. So, do I use BF?





For pairing-based schemes, the best known attack on allproposed schemes is to solve DL. So, do I use BF?For pairing-based schemes, should I care about using Type-1versus Type-3 pairings.

From a security point of view, is the use of Type-3 pairing weakerbecause of the assumption that isomorphisms between G1 and G2

cannot be computed?





For pairing-based schemes, the best known attack on allproposed schemes is to solve DL. So, do I use BF?For pairing-based schemes, should I care about using Type-1versus Type-3 pairings.

From a security point of view, is the use of Type-3 pairing weakerbecause of the assumption that isomorphisms between G1 and G2

cannot be computed?

Should I care about security reductions? If so, thenShould I care about selective-id versus adaptive-id models?Should I care about the underlying assumptions? Should I careabout static versus non-static assumptions? Among staticassumptions, should I care about standard versus non-standardassumptions?Should I care about the tightness of reduction?


Thank you for your attention!


identity-based encryption: a 30-minute tour · identity-based encryption proposed by shamir in...

Documents